Fears China could cyber attack the NHS by exploiting software flaw that saw ‘hostile’ Beijing-backed actors access personal details of 40million Brits

Chinese hackers could bring the NHS to its knees by exploiting a known software flaw, experts warn.

Deputy Prime Minister Oliver Dowden today blamed ‘hostile’ Beijing-backed actors for a series of cyber attacks on the British public and elected officials. 

This includes a ‘complex’ 2021 attack on the Electoral Commission, the body which oversees elections and political donations in Britain.

The cyber attack – which went undetected for a year – breached personal details, including the names and addresses of 40million Brits. 

It is not known for certain how much of this information was accessed.

Cyber security experts fear Brits’ medical data held by the NHS could also be at risk from the same software flaw used to hack the Electoral Commission.

Patrick Burgess, information security specialist at the British Computer Society, The Chartered Institute for IT, told MailOnline: ‘It has been reported that the initial ingress point for the Electoral Commission attack may well have been through the Exchange Server Vulnerabilities.

‘The NHS will absolutely be utilising this software along with a significant number of other organisations.’ 

Mr Burgess claimed, in real terms, a similar attack to the Electoral Commission on the NHS could have far reaching consequences, including potentially the blackmail of individuals.  

He said: ‘The NHS holds lots of personal data in lots of systems.

‘An attack on any of these which resulted in confidential data being leaked could be very painful for the individuals and lead to a risk of blackmail or phishing.

‘If this were to happen it would be critical that the NHS communicated quickly and clearly with the impacted individuals so they could be prepared for any further escalation.’

Mr Burgess, whose organisation has royal charter to set and maintain standards within the IT profession, added a politically-motivated ransomware attack was also a possibility if actors managed to access NHS systems ahead of time.  

‘The chance of a ransomware attack on national infrastructure is real and could be timed to coincide with a political event,’ he said.

However, Mr Burgess said that in contrast to the WannaCry attack on the NHS in 2017, which was an opportunistic attack, a politically-motivated equivalent would require hackers to be in a system already, waiting for orders to strike.

The upside of this is there is a chance NHS IT professionals could spot the hackers before the attack was launched and stop access, he said.

‘This would be where our monitoring and detection systems would have a chance to detect the behaviour before it became reality,’ he said.

However, echoing concerns from MPs and PM Rishi Sunak, Mr Burgess said the cyber threat posed by a nation like China cannot be underestimated. 

‘This level of threat actor, in this case reported to be China, has significant resource and expertise and we should continually be looking at our security posture to protect against past, current and emerging threats,’ he said.

He said unknown software vulnerabilities that allow hackers to access data are among the biggest cyber threats to organisations, something state-actors like China are keenly aware of. 

‘Threat actors such as China are continuously looking for these to exploit and the software manufacturers are continuously having to react to patch,’ he said.

‘We need to ensure rigorous update and monitoring policies are in place to mitigate these issues as fast as possible when they emerge.’

Mr Burgess added cyberattacks are impossible to fully prevent and the NHS should have preparations in place in what to do should they occur.  

‘As it is impossible to make the risk of an attack zero, we have to work under the assumption it will happen at some point and implement multiple layers of protection for data, so we are not just relying on one,’ he said. 

He added: ‘When they do happen, we need to be better at communicating quickly to the impacted individuals what has happened and what they can do to minimise the impact on themselves.’

An NHS England spokesperson said: ‘The NHS faces a broad range of cyber threats and over £338million has been invested since 2017 to help keep health and care organisations safe.

‘NHS cyber security specialists monitor for new threats 24 hours a day and we also support organisations across the NHS with advice, assessments, and training.’

The NHS didn’t comment on any specific steps it has taken in the wake of the Electoral Commission hack to protect patients’ data.

It also didn’t confirm if any similar data breaches had occurred since August 2021.

The UK’s data watchdog the Information Commissioner’s Office (ICO) said it was unable to confirm if any data breaches similar to that suffered by the Electoral Commission have occurred in the NHS due the way data breaches are recorded.

An ICO spokesperson added: ‘Our enquiries into the Electoral Commission incident are ongoing. 

‘If anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.’ 

It comes as Deputy PM Oliver Dowden is expected to take the dramatic step of accusing China of being behind a hack that accessed the personal details of 40million Brits. 

He is set to link China to the attack on the Electoral Commission, which admitted last August that ‘hostile actors’ had got into its systems as far back as 2021. 

In a statement to the Commons this afternoon, Mr Dowden is also set to point the finger over the ‘impersonation’ of MPs online. 

Officials could be subject to sanctions, with the action likely to be coordinated with other Western countries.

However, critics have accused the government of acting too slowly and raised concerns that the response will not go far enough.

China’s foreign ministry has today insisted that countries should not ‘spread disinformation’ by making accusations without a ‘factual basis’.  

A small group of politicians who are hawkish on China are also said to have been called to a briefing by Parliament’s director of security, Alison Giles, in relation to the cyber activity.

They include former Tory leader Sir Iain Duncan Smith, former minister Tim Loughton, crossbench peer Lord Alton and SNP MP Stewart McDonald.

The four are members of the Inter-Parliamentary Alliance on China (IPAC) pressure group, which focuses on issues involving the increasingly assertive Asian power.

In a statement today, Sir Iain, Mr Loughton and Mr McDonald said: ‘Together with other members of parliament, activists, and dissidents, we have been subjected to harassment, impersonation, and attempted hacking from China for some time.’

‘Neither we, nor other parliamentary colleagues, will be bullied into silence by Beijing. For years the behaviour of the Chinese government has gone unchecked. 

‘Today’s announcement should mark a watershed moment where the UK takes a stand for values, human rights, and the international rules based system, upon which we all depend.’

Luke de Pulford, executive director of IPAC, told the BBC‘s Today programme that the government had taken two years to ‘call out’ the behaviour of China.

He said it was ‘ludicrous’ there is still a debate on whether China should be treated as posing an ‘enhanced’ risk of meddling. 

But China’s Foreign Ministry said Beijing is a ‘main target’ of hacking, suggesting that the UK needed to cooperate more.

According to a translation, spokesman Lin Jian said: ‘We combat all sorts of malicious actions online, and we advocate all countries to deal with this together through dialogues and cooperation.

‘Tracking of origins of cyber attacks is highly sensitive and complicated. It must be fully backed with objective evidence, and one should not pin the blame on certain countries without any factual basis.’

He added that countries needed to ‘stop spreading disinformation and take a responsible attitude’.